Opened 37 minutes ago

Last modified 23 minutes ago

#37209 assigned Bug

`UserAttributeSimilarityValidator` uses unordered string comparison

Reported by: Terence Honles Owned by: Terence Honles
Component: contrib.auth Version:
Severity: Normal Keywords:
Cc: Terence Honles Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

UserAttributeSimilarityValidator only uses the SequenceMatcher.quick_ratio method (which uses an unordered comparison of two strings and is only intended to be used as an upper bound)

This causes what I would consider "false positives" for strings that are not actually similar (any anagram will produce a ratio of 1 (exactly equal)).

I discovered this because we had a flaky test in our CI (with a user having attributes generated using Faker) and I finally spent some time to investigate the flaky test. The two strings (lowercased) were "andrews" and "new-password", which lead me to wonder how those could be considered 70% similar.

I have added a test with the anagrams: "enumerations" & "mountaineers"

Attachments (1)

patch.diff (1.4 KB ) - added by Terence Honles 23 minutes ago.

Download all attachments as: .zip

Change History (2)

by Terence Honles, 23 minutes ago

Attachment: patch.diff added

comment:1 by Terence Honles, 23 minutes ago

The SequenceMatcher's quick_ratio method has been used since the validators were added to Django in v1.9 (1daae25bdcd735151de394a5578c22257e3e5dc7), and since my PR was automatically closed, here's the same patch

Note: See TracTickets for help on using tickets.
Back to Top